Attacks/Breaches
12/19/2012
06:51 PM
50%
50%

Cybercrime Inc.: The Business Of The Digital Black Market

Report by security vendor Fortinet examines the structure of the cyber underworld

Money makes the world go 'round -- especially the world of cybercrime, where criminal groups have exploded in both number and sophistication.

In a new report, researchers at Fortinet dig into how cybercrime organizations continue to grow and generate profits. In a world where services from botnet rentals to black hat search engine optimization (SEO) are all for sale, the money criminals stand to make can be significant. For example, for $80, the report notes, a cyber-ring can get 20,000 backlinks for SEO purposes.

Other services, such as CAPTCHA breaking -- at a cost of $1 per 1,000 CAPTCHAs -- and botnet rentals -- at a cost of $40 per 20,000 spam emails -- are available as well.

"I would say that the organizations before used to be a handful in terms of organized cybercrime -- think of the RBN [Russian Business Network]," says Derek Manky, senior threat researcher at Fortinet's FortiGuard Labs. "Everything from development to network infrastructure and management were essentially in-house to these operations. Nowadays, there's more organizations, thanks to crimeware, crime services, existing source code, etc."

Today's cybercriminal enterprise is a complex ecosystem that encompasses executives, recruiters, and foot soldiers responsible for initiating the actual infection.

"The organization’s 'executives' make decisions, oversee operations, and ensure that everything runs smoothly," according to the Fortinet report. "Just as with legitimate businesses, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the 'dirty work' to the infantry and are not involved with launching attacks."

In order to recruit that infantry, recruiters and affiliate program leads establish Web portals, the report explains, many of which originate in Russia. Some are closed communities that are accessible by invitation only; others, however, are open to the public.

"Oftentimes to protect themselves, open portals include disclaimers on the site that say, 'We do not allow spam or other illicit methods for machine infection,' the report notes. "These are typically in place to put the legal responsibility on the infantry. These portals provide the infantry with all of the necessary information they require to begin an infection campaign. Among other things, these tools include illicit software, support forums, payment rates and tracking and a method in which to receive payments upon completing a certain number of infections."

Fortinet compares the people running the affiliate programs to middle managers who are recruited through "old boy" networks or underground forums.

"To properly arm the infantry, recruiters/affiliates must develop the programs used to infect other systems," the report notes. "These applications include, but are not limited to, fake antivirus software, ransomware, and even botnets."

Crime services such as the ones mentioned above are offered by middlemen at the infantry or syndicate level as a way to make more money, according to the report. And then there are the money mules, who allow the organization to launder its proceeds.

Money mules are often recruited through advertisements and are used to anonymously to move money from one country or bank account to another -- typically using anonymous wire transfer services such as Western Union, Liberty Reserve, U Kash, and WebMoney.

While the report mentions the importance of cracking down on rogue registrars and initiating botnet takedown operations, going after the money is also a great way to hit back on the enforcement side, Manky opines.

"Particularly, the affiliate sponsors -- the ones paying out the money to these PPI/PPP programs -- that is the Achilles heel," he says. "Without that sort of money flow, you take out the infantry [middlemen] who are getting paid via these sponsorship programs. I think it's a good idea, but realistically would require more dedicated resources on the enforcement side -- concentrating mainly on fraud through payment processors, money mules, and affiliate sponsors."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?